Balance on the Fine Line of Employee Privacy

Everyone gets a little touchy about the privacy issue. What's business as usual to one employee may be a serious personal invasion to another. Employers need to look to the law for guidance on this highly subjective subject—one that spans from hiring practices to surveillance operations. And differentiating between private and public information will only get more complicated as we expand into E-mail and voicemail arenas.

Gerald Skoning, partner at Chicago-based employment law firm Seyfarth, Shaw, Fairweather & Geraldson and editor of the firm's newsletter, Labor & Legislative Report, offers some advice on gauging the line between what employees have a right to keep private and what employers have a right to know.

Is employee privacy really becoming a serious issue?With the technological explosion we're experiencing, we've got quite a number of risks in terms of personal privacy and confidentiality. I think a lot of people are much more sensitive to privacy concerns in this day and age than perhaps ever before because of the types of technology that by their very nature carry with them risks to confidentiality. We all feel a little more vulnerable. It's a "Big Brother Is Watching" sort of an Orwellian society we're headed toward. At the same time I think that the courts and juries are going to be pretty vigilant in protecting unnecessary intrusions into individual rights to privacy. So I think as a trend, if a plaintiff employee can point to a federal statute that says these materials are supposed to be confidential, and an employer negligently or intentionally breaches that confidentiality, it's a pretty sensitive case to be presenting to a jury.

You mention new technology as a potential trouble spot. What areas of technology do you see as problems?In terms of areas where we've advised our clients: The surveillance cameras companies use to guard against security breaches or theft, the Email systems that many large companies use for intra-office or inter-office communication, the use of PCs and what goes into a PC data bank. Some of our clients use phone banks for sales, and they want to monitor them to make sure that they aren't being abused. These are kind of the new cutting-edge areas of privacy and confidentiality.

So is there any basic guideline to know when you're crossing the line?The fundamental issues in all of these cases, particularly dealing with PCs and E-mail and so on—and I'm generalizing in terms of the state of the law of privacy—is whether the employee has a reasonable expectation of privacy. Whether its his E-mail bank or her PC input—Is there a reasonable expectation of privacy? That's basically the standard that's applied under the law. So the way an employer protects itself against claims by an employee that there is this expectation of privacy is to defeat the expectation of privacy up front by various types of disclaimers.

Can you give an example of what this disclaimer would look like?For instance with a PC, before you access the system, a disclaimer comes up on the screen, and says as an example: "This computer network, including all data files and applications, is the property of XYZ corporation. All materials and information created, transmitted or stored on this system are the property of XYZ corporation and may be accessed by authorized personnel." In other words, anyone can access that data. The final statement is "Users should not have any expectation of privacy with respect to the materials and information stored on the system." That legally removes any expectation of privacy.

Would a similar notice work for such things as security cameras?Exactly: "Employees are advised that we maintain security cameras that routinely scan the work area. These cameras will be monitored to ascertain that security is maintained, and people should understand that there's no expectation of privacy with respect to activities in the workplace."

What's the best way to communicate this notice?There are a lot of ways to do it. You can circulate a memo to all personnel. The problem there is proving that everyone got it. If you're really concerned about the potential for someone getting upset about a breach of privacy rights, when they sign on with the company, you could have them sign a declaration of understanding that they've been advised of the policies, and that they understand that they have no right to privacy as to activities in the workplace. The same story with phone banks. Let employees know that phones will be monitored as necessary to protect legitimate business interests involved in sales activity.

How else may companies overstep the privacy boundaries?One area is psychological testing for job applicants, which a lot of companies use. That's a very problematic area because the courts have generally recognized that psychological testing can have proper business objectives, but with the ADA and other privacy interests, there is some concern that these psychological tests occasionally stray into statutorily or constitutionally protected privacy areas of applicants or employees. In fact, recently a major U.S. company settled a class action by job applicants who were required to answer pretty intimate personal questions in pre-employment psychological examinations. The case was settled—but settled for big dollars.

What kinds of questions would generally get an employer in trouble?The questions in this case dealt with whether or not the applicant engaged in any unusual sex practices, questioned whether the male applicant ever wished he was a girl, whether they're strongly attracted by members of their own sex, whether they believe sins are unpardonable, whether they feel sure that there is only one true religion, whether a minister can cure a disease by praying and putting his hands on your head... pretty intimate stuff.

You mention privacy protection surrounding the ADA. What are the issues that employers should be aware of?The Americans with Disabilities Act provides that an employer must keep confidential any information on any employee's medical condition or history and must maintain this information in a separate file. Historically what employers have done is put it in the personnel file. You can't do that anymore. It must be in a separate, locked cabinet away from normal personnel records.

Then who should be allowed to see these records?There's very limited access allowed to those records. Supervisors and managers may have access on a need-to-know basis—first aid and safety personnel may be informed if the employee's disability might require emergency treatment. Government officials have access to this information or folks who deal with workers' comp matters or insurance claims, but otherwise access is out of bounds. And it's a real trap for the unwary employer because the information that goes into these files can be pretty damned interesting stuff. Just take a hypothetical case. An employee is being treated for HIV. The horror-story thought is that someone—a clerk in the insurance claims department—reads about Joe Smith who's being treated for HIV and goes down to the cafeteria for lunch and says "You wouldn't believe what I've found in the file." And suddenly by communicating that information to another person, they've breached a federally protected right of confidentiality.

What can a company do to prevent this type of problem?Our counsel to clients is you have to regularly warn anyone who has access to these materials that they're absolutely confidential as a matter of federal law and that any breach of that confidentiality is a serious disciplinary offense which could result in discharge. I recommend that an employer—to be doubly certain to protect themselves—issue a memo to anyone who has access to that info, documenting the fact that they've been advised that it's confidential. Then if there is a breach down the road, you can argue to the jury that you did everything possible and shouldn't be blamed for any slip up.

What about privacy issues concerning employee evaluations?Early on, there were a number of cases involving the issue of performance evaluations that said really negative things about an employee. So the courts have developed what's known as a qualified privilege that attaches to any communications internally in the HR field that are ordinary and necessary parts of running a personnel operation. In other words, if the plaintiff can show that it's a malicious effort to willfully destroy someone's career, and it's done maliciously and it isn't true, then they can bring a suit. But if it's simply part of the ordinary HR process, there's a qualified privilege.

What's the bottom line in knowing how courts would review a claimed invasion of privacy?Essentially what the courts do in evaluating claims based on privacy is a balancing test. Balancing the business justifications—the legitimate business interests of the employer—against the employee's expectation of privacy or confidentiality. That's why the disclaimers are important. Congress was considering a statute introduced last year called the Privacy for Consumers and Workers Bill, which would require employers to notify employees in advance when they're being monitored or recorded electronically at work. But the law has not passed, and I think it's unlikely that it will in the current political environment. Nevertheless, what this law would have provided—forcing employers to notify employees in advance—is something employers should do anyway so to avoid common law privacy implications.

In many instances when the monitoring is regular and frequent, it makes sense to have employees sign some sort of an acknowledgement that they understand that it's part of their job, that there may be monitoring, there may be surveillance, so then you have a signed acknowledgement that they understand what's going to be done, and therefore they've effectively waived any privacy rights.